The User Experience of Digital Signatures

How about that for a boring title? But it’s something that bothers me quite regularly. Why is it that “asymmetric encryption” appears to be fundamentally beyond the understanding of anyone who doesn’t work directly with computers?

It’s now become such an issue for me that I’ve written to my MP about it.

But before you write me off as some parliamentary postbag loony, consider what’s pushed me over the edge on this issue: the UK government’s Communications Data Bill.

Until now, the question of why so few people seem either to know or care about digital certificates in their use of the Internet has appeared to me as basically frustrating, but not worth getting too upset about. Ever since I first saw the famous New Yorker cartoon about identity on the net, I have wondered why it is that people appear to think that being confident in the identity of anyone online is like being confident in the existence of pixies at the bottom of the garden. Pixies probably don’t exist, but confidence in who you are communicating with in the digital world most definitely does. In fact, if you take in network effects and chains of trust, verifying identity can be more reliable (and certainly thousands of times easier) than in the physical world.

Now it strikes me that if such things were more widely understood, then the government would not have made such a colossal screw-up of the drafting of the Communications Data Bill. Here’s my letter to my MP on the subject:

I write to you concerning the Communications Data Bill, and specifically about how the government will be able to obtain “data” from users of the Internet.

Despite Home Office assurances to the contrary, in order for the government to gather communications data, it must also gather communications content (cf. this article http://goo.gl/vwKKl). But in gathering any of that, it would also have to circumvent checks that many web sites such as Amazon (and web-based email services such as Yahoo! or Gmail) use to authenticate themselves to their users’ browsers. If this authentication fails, users are given a warning not to proceed (as here: https://mark.goodge.co.uk).

Without complete (and world-wide) co-operation between Internet service providers and the writers of all web browsers, circumvention is an impossible task. At least, it will be impossible without unacceptable service interruption. More to the point, if the government tries it, and users of UK-based websites have to pass through a warning such as that shown above, it may well seriously affect this country’s Internet industry. I work for a large US multi-national ecommerce company based in London, and the provisions of this Bill make me concerned about the future of my career in the UK.

I look forward to your views on this point and indeed about the Bill in general. Please note that this is not by any means my only objection to the Bill, but I would like to know if you have considered this aspect of it.

The Bill has been drafted by people who think that New Yorker cartoon is in some way immutable. Yet in fact when you use Amazon, Google, Yahoo! and countless other web sites (but not yet email, or perhaps chat services like Skype) your web browser is designed to make sure they are in fact those sites and not imposters – or the UK government.

But the fact that people don’t know this is shown by the utterly preventable crime of phishing attacks, and now the utterly stupid Communications Data Bill. So what is it about the concept of digital certificates and online trust relationships that is so hard to understand? Teach it in schools? Public service announcements? Better browser experience? Something has to be done!